{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35033", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.427Z", "datePublished": "2026-04-14T22:28:47.558Z", "dateUpdated": "2026-04-15T13:36:26.787Z"}, "containers": {"cna": {"title": "Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "lang": "en", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jh22-fw8w-2v9x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jh22-fw8w-2v9x"}, {"name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7"}], "affected": [{"vendor": "jellyfin", "product": "jellyfin", "versions": [{"version": "< 10.11.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T22:29:33.684Z"}, "descriptions": [{"lang": "en", "value": "Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowercase query parameter to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter, and the unsanitized value is concatenated directly into the ffmpeg command line. By injecting a drawtext filter with a textfile argument, an attacker can read arbitrary server files such as /etc/shadow and exfiltrate their contents as text rendered in the video stream response. The vulnerable /Videos/{itemId}/stream endpoint has no Authorize attribute, making this exploitable without authentication, though item GUIDs are pseudorandom and require an authenticated user to obtain. This issue has been fixed in version 10.11.7."}], "source": {"advisory": "GHSA-jh22-fw8w-2v9x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:36:17.456385Z", "id": "CVE-2026-35033", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:36:26.787Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35033", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T13:36:17.456385Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:36:23.253Z"}}], "cna": {"title": "Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection", "source": {"advisory": "GHSA-jh22-fw8w-2v9x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "jellyfin", "product": "jellyfin", "versions": [{"status": "affected", "version": "< 10.11.7"}]}], "references": [{"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jh22-fw8w-2v9x", "name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jh22-fw8w-2v9x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7", "name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowercase query parameter to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter, and the unsanitized value is concatenated directly into the ffmpeg command line. By injecting a drawtext filter with a textfile argument, an attacker can read arbitrary server files such as /etc/shadow and exfiltrate their contents as text rendered in the video stream response. The vulnerable /Videos/{itemId}/stream endpoint has no Authorize attribute, making this exploitable without authentication, though item GUIDs are pseudorandom and require an authenticated user to obtain. This issue has been fixed in version 10.11.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T22:29:33.684Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35033", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:36:26.787Z", "dateReserved": "2026-03-31T21:06:06.427Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T22:28:47.558Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowercase query parameter to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter, and the unsanitized value is concatenated directly into the ffmpeg command line. By injecting a drawtext filter with a textfile argument, an attacker can read arbitrary server files such as /etc/shadow and exfiltrate their contents as text rendered in the video stream response. The vulnerable /Videos/{itemId}/stream endpoint has no Authorize attribute, making this exploitable without authentication, though item GUIDs are pseudorandom and require an authenticated user to obtain. This issue has been fixed in version 10.11.7."}], "id": "CVE-2026-35033", "lastModified": "2026-04-14T23:16:28.817", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T23:16:28.817", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7"}, {"source": "security-advisories@github.com", "url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jh22-fw8w-2v9x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.11.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "jellyfin", "source": "cna", "vendor": "jellyfin"}, "product": "jellyfin", "vendor": "jellyfin"}], "analysis": {"en": {"generated_at": "2026-04-14T23:20:50.064924+00:00", "value": {"mitigation_remediation": ["Upgrade Jellyfin to version 10.11.7 or later", "Restrict access to the /Videos/{itemId}/stream endpoint with firewall or application\u2011level ACLs", "Enforce authentication or authorization on the stream endpoint before processing StreamOptions"], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "The affected product is Jellyfin, the open-source media server. Versions before 10.11.7 are vulnerable; the issue was corrected in release 10.11.7. The exploit relies on the /Videos/{itemId}/stream endpoint, which lacks an Authorize attribute and accepts any lowercase query parameter without validation. Users who can obtain item GUIDs (typically authenticated) can use them to target specific media items.", "description_and_impact": "The vulnerability allows an attacker to inject malicious arguments into the ffmpeg command line through the StreamOptions query parameter, enabling arbitrary read of server files such as /etc/shadow. Because the payload is rendered as text in the video stream response, an attacker can exfiltrate sensitive data without needing to capture the stream output separately. The flaw is a consequence of missing authorization checks and unsanitized input handling, making it a severe confidentiality breach.", "risk_and_exploitability": "The CVSS base score is 9.3, indicating critical severity. EPSS is not available, so current exploitation probability cannot be quantified. The vulnerability is not listed in CISA's KEV catalog. Attackers can reach the vulnerable endpoint over the network, assuming the server is exposed. Since the endpoint accepts arbitrary query parameters, an unauthenticated attacker can craft requests to read arbitrary files by embedding a drawtext filter that references a textfile argument. The absence of authentication for the stream endpoint makes exploitation possible without needing user credentials, though obtaining GUIDs still requires authentication. The risk is therefore high, pending the availability of a patch or mitigation."}}}}, "created": "2026-04-15T13:48:23.615574+00:00", "updated": "2026-04-15T14:31:57.023513+00:00", "vendors": ["jellyfin", "jellyfin$PRODUCT$jellyfin"]}